Analysis
max time kernel: 165s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 04:11
Static task: static1
Behavioral task: behavioral1
  Sample: 15d33eee644b3a7b2f7c08d5e87057130911a88555b7c25901adc701e957c21a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15d33eee644b3a7b2f7c08d5e87057130911a88555b7c25901adc701e957c21a.exe
  Resource: win10v2004-en-20220112
General
Target: 15d33eee644b3a7b2f7c08d5e87057130911a88555b7c25901adc701e957c21a.exe
Size: 168KB
MD5: d1abc3eb8ef2ea349269f836b8a65212
SHA1: 9c6bdf06e06e0fdf98dca643c2c00eab2523a980
SHA256: 15d33eee644b3a7b2f7c08d5e87057130911a88555b7c25901adc701e957c21a
SHA512: c963504403ec5656a8b88289d2d991dcd41d5e63b97586b2a07af329ec79fd76066e443c428b47a586c5cc11a46ceebaa1c4aae2bc51d029fbc06db76392f452
Malware Config
Signatures
Sakula Payload (3 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/1088-132-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  2896 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 15d33eee644b3a7b2f7c08d5e87057130911a88555b7c25901adc701e957c21a.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 15d33eee644b3a7b2f7c08d5e87057130911a88555b7c25901adc701e957c21a.exe
Drops file in Windows directory (3 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS (49 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "8.825044" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4336" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.973461" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4172" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892891795260998" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
Runs ping.exe (1 TTPs, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeIncBasePriorityPrivilege | 1088 | 15d33eee644b3a7b2f7c08d5e87057130911a88555b7c25901adc701e957c21a.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
  Token: SeBackupPrivilege | 1504 | TiWorker.exe
  Token: SeRestorePrivilege | 1504 | TiWorker.exe
  Token: SeSecurityPrivilege | 1504 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 1088 wrote to memory of 2896 | 1088 | 15d33eee644b3a7b2f7c08d5e87057130911a88555b7c25901adc701e957c21a.exe | MediaCenter.exe
  PID 1088 wrote to memory of 2896 | 1088 | 15d33eee644b3a7b2f7c08d5e87057130911a88555b7c25901adc701e957c21a.exe | MediaCenter.exe
  PID 1088 wrote to memory of 2896 | 1088 | 15d33eee644b3a7b2f7c08d5e87057130911a88555b7c25901adc701e957c21a.exe | MediaCenter.exe
  PID 1088 wrote to memory of 3036 | 1088 | 15d33eee644b3a7b2f7c08d5e87057130911a88555b7c25901adc701e957c21a.exe | cmd.exe
  PID 1088 wrote to memory of 3036 | 1088 | 15d33eee644b3a7b2f7c08d5e87057130911a88555b7c25901adc701e957c21a.exe | cmd.exe
  PID 1088 wrote to memory of 3036 | 1088 | 15d33eee644b3a7b2f7c08d5e87057130911a88555b7c25901adc701e957c21a.exe | cmd.exe
  PID 3036 wrote to memory of 3564 | 3036 | cmd.exe | PING.EXE
  PID 3036 wrote to memory of 3564 | 3036 | cmd.exe | PING.EXE
  PID 3036 wrote to memory of 3564 | 3036 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\15d33eee644b3a7b2f7c08d5e87057130911a88555b7c25901adc701e957c21a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\15d33eee644b3a7b2f7c08d5e87057130911a88555b7c25901adc701e957c21a.exe"
  PID: 1088
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2896
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15d33eee644b3a7b2f7c08d5e87057130911a88555b7c25901adc701e957c21a.exe"
    PID: 3036
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 3564
      - Runs ping.exe
C:\Windows\system32\MusNotifyIcon.exe
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 3624
  - Checks processor information in registry
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 3052
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 1504
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: de1bec901d508af56dce9a64bbc2c40e
SHA1: e4edb9ece1bdb419175f05c5f25606cd38b4789e
SHA256: 50f9ac76e4e56308aa4be2c045c024161e6f361456496f0badcbb945e1738806
SHA512: a1695ac1549e08f1364dc1f5b451f9b19a70a1dab891bc84e6113ffc875cbfbeb7d9ca832fef3531562019acf7ba0087ddf95ff9db89ce199f27b58b26a0a349